DETERMINISTICALLY GENERATING BLOCK SUBSTITUTION TABLES WHICH MEET A GIVEN STANDARD OF NONLINEARITY



Inventor: Lothrop Mittenthal 

BACKGROUND OF THE INVENTION 
Field of the Invention 

The present invention is directed generally to a system and method of cryptography and, more particularly, to a system and method of cryptography that deterministically generates block substitution tables which meet a given standard of nonlinearity.

Description of the Background

Block substitution is a method used to encrypt a clear text message which is in the form of a sequence of binary numbers. There is considerable interest in the cryptographic community in block substitution tables or S-boxes which are highly nonlinear in some sense. This is particularly important in Feistel-type systems, of which DES is a prime example. In such systems, the key is used to interact with the clear text data and the substitution tables serve as barriers to limit access to the key by comparing clear text with cipher text data. The primary tools of cryptanalysis against Feistel-type systems are differential and linear cryptanalysis. The principal foil against these is nonlinearity as typically measured by the $L_2$ and $L_4$ norms using the Walsh-Fourier transform. Emphasis on these measures is often so great that weakness in other measures is accepted in order to achieve high scores in nonlinearity. In particular, highly nonlinear tables which are weak in complexity and characterized by short cycles and multiple fixed points may be used. However, in most Feistel-type systems the tables are permanently fixed and publicly known so that these flaws are considered acceptable. Another consideration is that these highly nonlinear tables are generally found by searching and their properties are determined empirically by testing rather than relying on underlying mathematical theory.

Instead of a Feistel-type system, one can also use throw-away, secret tables for one-time use and use the cryptographic keys to generate tables, to generate inter-round mixing patterns, and effectively, to determine the algorithm rather than to merely mingle with the data. Excellent cryptographic strength can be achieved by numerous measures including cycle structure, avalanching, bit independence, perfect balance, and nonlinearity, albeit not necessarily with the highest possible $L_2$ and $L_4$ norms.

The prior methods have the disadvantages that they are not flexible enough to meet users' needs and the substitution tables are developed by trial and error. Thus, there is a need for a cryptographic method that emphasizes designing to the customers' needs rather than offering take-it-or-leave-it products of fixed characteristics. There is also a need for a cryptographic method that can be designed to cost, designed to strength, and designed to speed, both for data rates and table generation, and designed for nonlinearity. There is also a need for a cryptographic method that deterministically generates tables that do not have to be exhaustively tested.

SUMMARY OF THE INVENTION

The present invention is directed to a method of generating block substitution tables for a predetermined block size. The method includes selecting a first generating function and selecting a second generating function. The method also includes selecting first and second sets of complete linearly independent numbers and calculating first and second linear orthomorphisms from the generating functions and the sets of linearly independent numbers. The method further includes creating nonlinear block substitution tables by combining the linear orthomorphisms, the block substitution tables being for use in encrypting clear text messages.

The present invention has the advantage that it deterministically generates substitution tables that do not have to be exhaustively tested. The present invention also has the advantage that it emphasizes designing to the customers' needs rather than offering take-it-or-leave-it products of fixed characteristics. The present invention has the further advantage that it can be designed to cost, designed to strength, and designed to speed, both for data rates and for table generation, and designed for nonlinearity.
BRIEF DESCRIPTION OF THE DRAWING 

For the present invention to be clearly understood and readily practiced, the present invention will be described in conjunction with the following figures, wherein:

FIGS. 1A-1C are diagrams illustrating a method of finding optimized nonlinear mappings of binary numbers;

FIG. 2 illustrates an automated implementation of a method for generating nonlinear substitution tables for the general case of n-bit substitution tables;

FIG. 3 is a diagram illustrating a computer system;

FIGS. 4A-4D are diagrams illustrating another method of finding optimized nonlinear mappings of binary numbers; and

FIG. 5 illustrates an automated implementation of another method for generating nonlinear substitution tables for the general case of n-bit substitution tables.

DETAILED DESCRIPTION OF THE INVENTION

A troublesome feature in discussing nonlinearity is that it has a negative definition. $F(x)$ is a linear mapping from a vector space $V$ to another vector space $U$ such that for any pair of vectors $x$ and $y$ in $V$ and any real numbers $a$ and $b$, $F(ax + by) = aF(x) + bF(y)$. This can be extended more generally to operators on Banach spaces or narrowed down to mappings or functions of the positive integers. In practice, digital data is widely used in communications and cryptography and there is much interest in nonlinear mappings of these. However, nonlinear means anything that is not linear. Mappings of the form $F(x) = ax + b$, which are termed affine by mathematicians and linear by engineers, are also generally deleted from the leftover characterization of nonlinear mappings or functions. The matter thus reduces to encrypting digital data, bit strings, bytes, blocks, or binary numbers. The process of X-ORing such numbers is widely employed because the operations $1 \oplus 0 = 1$ and $0 \oplus 0 = 0$ are so easy to implement. So no matter what these little batches of bits are called, in block encryption n such bits are taken at a time and uniquely replaced with another clump of n binary bits. Thus, for any method of block encryption used, the bijective mappings on $Z_2^n$ are examined, where $Z_2^n$ is the group of n-bit binary numbers under the group operation $\oplus$ of addition modulo 2 (X-ORing). There is structure in this algebraic group.

FIGS. 1A-1C are diagrams illustrating a method of finding optimized nonlinear mappings of binary numbers. FIGS. 1A-1C illustrate the case when maximal orthomorphisms (i.e. orthomorphisms having no subcycles) are used. At step 12 in FIG. 1A, data 10 to be encrypted are input and a block size is selected. Binary numbers, also known as bit strings, exist in any block size n, where n is a positive integer greater than or equal to 1. The theory upon which the present invention is based holds for any integer n greater than 1. n is typically 4 or 8.

If $f(x)$ is any bijective, or 1-to-1 and onto, mapping from $Z_2^n$ to $Z_2^n$, a function:

$N(x,y) = f(x) \oplus f(y) \oplus f(x \oplus y)$ (1)



can be defined. This is a mapping from the product group $Z_2^n \times Z_2^n$ to $Z_2^n$. It is generally not onto. In fact, if $f(x)$ is linear, by definition $N(x,y) = \theta$ (where $\theta = 00\ldots0$) for all $x,y$ pairs. If $f(x)$ is affine, then by definition $f(\theta) = C \neq \theta$ and $N(x,y) = f(\theta) = C$ for all $(x,y) \in Z_2^n \times Z_2^n$.

Without loss of generality, assume that $f(\theta) = \theta$. For any mapping where $f(\theta) = C \neq \theta$, $f'(x) = f(x) \oplus C$ can be defined to obtain $f'(\theta) = \theta$. The definition of $N(x,y)$ can also be extended to:

$N(x, y, \theta) = f(x) \oplus f(y) \oplus f(x \oplus y) \oplus f(\theta) = N(x,y).$ (2)

$N(x,y,\theta)$ from $Z_2^n \times Z_2^n \times Z_2^n$ is now a mapping of all subgroups $G \subset Z_2^n$ such that $|G| \le 4$ with range in $Z_2^n$. If $x = y = \theta$, then the input is the trivial subgroup $\{\theta\}$ of order 1. If $x = y$, then $\{x, \theta\}$ is a subgroup of order 2. Otherwise, $\{x, y, x \oplus y, \theta\}$ is a subgroup of order 4.

There are $(2^n)^2 = 2^{2n}$ $x,y$ pairs considering order, that is, $(x,y) \neq (y,x)$. There are $2^n$ pairs each of the form $(\theta, x)$, $(x, \theta)$ and $(x, x)$. However, $(\theta,\theta)$ occurs in each, so that there are $3(2^n) - 2$ such distinct pairs of these, each of which represents a subgroup of order 1 or 2. The distinct pairs are not all unique. This leaves $2^{2n} - 3(2^n) + 2$ other pairs of the form $(x,y)$ where $x \neq y \neq \theta$. Each of these defines a subgroup $\{x, y, x \oplus y, \theta\}$ of order 4. The number of such pairs is:

$N = 2^{2n} - 3(2^n) + 2 = (2^n - 1)(2^n - 2)$ (3)

$2 \mid (2^n - 2)$ so $2 \mid N$. Because $3 \nmid 2^n$, either $3 \mid (2^n - 1)$ or $3 \mid (2^n - 2)$. Thus, $2 \cdot 3 = 6 \mid N$. Let $z = x \oplus y$. Each group of order 4 can be defined by 6 pairs: $(x,y)$, $(y,x)$, $(x,z)$, $(z,x)$, $(y,z)$, or $(z,y)$. This proves the following:

Proposition 1. In $Z_2^n$ there are $S_4 = \dfrac{(2^n - 1)(2^n - 2)}{6}$ subgroups of order 4.

Let $m = 2^n - 1$. Then $S_4 = \dfrac{m(m-1)}{6}$. (4)



For a given mapping, one can compute all values of $N(x,y)$. A common block size is n = 8. The computer computation time is generally no more than that required for the various statistical tests. However, there are some basic ideas. Any subgroup for which $N(x,y) = \theta$ is a small linear piece. If several subgroups of order 4 take on this value for a particular mapping and form a subgroup of larger degree upon which $N(x,y) = \theta$, there is some local linearity. If there is a bias in the distribution of $N(x,y)$ such that a disproportionally large number of subgroups have a single value, the mapping could be locally affine. Thus, it would seem that some potentially meaningful criteria would be:

1. The range of $N(x,y)$ is $Z_2^n$.

2. For any subgroup of order 4, $N(x,y) \neq \theta$.

3. The distribution of $N(x,y)$ over the subgroups of order 4 should be close to the theoretical limit of smoothness or minimal lumpiness.

To accomplish goal number 3, it would be logical to distribute the $2^n - 1$ non-zero values of $Z_2^n$ uniformly over the subgroups of order 4, that is, divide $S_4$ by $2^n - 1$.

$\dfrac{S_4}{2^n - 1} = \dfrac{(2^n - 1)(2^n - 2)}{(2^n - 1)\,6} = \dfrac{2^n - 2}{6}$

However, this is an integer if and only if n is odd because, for n odd, $n = 2k + 1$ and $(2^{2k+1} - 2) = 2(2^{2k} - 1) = 2(2^k - 1)(2^k + 1)$. This is divisible by 6 because 2 divides 2 and 3 divides either $2^k - 1$ or $2^k + 1$.

For example, if n = 8, there are 10,795 subgroups of order 4. The closest that one could get to an even distribution of numbers assigned to subgroups would be to have 85 numbers, each of which is assigned to 43 subgroups, while the remaining 170 non-zero numbers are each assigned to 42 subgroups.

On the other hand, if n = 7, there are 2,667 subgroups of order 4. Each of the 127 non-zero 7-bit numbers could be assigned to 21 subgroups.
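The count of Proposition 1 and the three criteria above can be checked directly for small n. The following Python is an added example and is not part of the patent: it enumerates the subgroups of order 4 of $Z_2^n$, evaluates the distribution of $N(x,y)$ of equation (1) for a given table, derives the smoothest split of criterion 3 (85 values used 43 times and 170 used 42 times for n = 8; 21 times each for n = 7), and shows that the constructed affine table $f(x) = x \oplus C$ satisfies criterion 2 trivially but fails criterion 1, because $N(x,y)$ collapses to the single value C, the bias that marks a locally affine mapping; the identity table, being linear, fails both.

```python
# Added example (not from the patent): N(x,y) over the order-4 subgroups of Z_2^n.
from collections import Counter


def order4_subgroups(n):
    """Every subgroup {x, y, x^y, theta} of Z_2^n of order 4, each listed once
    as the sorted triple of its non-zero members (theta = 0 is omitted)."""
    m = (1 << n) - 1
    return {tuple(sorted((x, y, x ^ y)))
            for x in range(1, m + 1) for y in range(x + 1, m + 1)}


def s4(n):
    """Proposition 1: S_4 = m(m-1)/6 with m = 2^n - 1."""
    m = (1 << n) - 1
    return m * (m - 1) // 6


def smoothest_split(n):
    """Criterion 3: spread the S_4 subgroups over the m non-zero values as evenly
    as possible.  Returns {times_used: how_many_values_are_used_that_often}."""
    m = (1 << n) - 1
    q, r = divmod(s4(n), m)
    split = {q: m - r}
    if r:
        split[q + 1] = r
    return split


def n_value(table, x, y):
    """Equation (1): N(x,y) = f(x) ^ f(y) ^ f(x^y)."""
    return table[x] ^ table[y] ^ table[x ^ y]


def n_distribution(table, n):
    """Counter of N(x,y) over the order-4 subgroups (one evaluation per subgroup)."""
    return Counter(n_value(table, x, y) for x, y, _ in order4_subgroups(n))


def check_criteria(table, n):
    """Criteria 1 and 2: every non-zero value of Z_2^n occurs as some N(x,y) on an
    order-4 subgroup, and N(x,y) is never theta there.  Returns (crit1, crit2)."""
    dist = n_distribution(table, n)
    m = (1 << n) - 1
    crit1 = all(v in dist for v in range(1, m + 1))
    crit2 = 0 not in dist
    return crit1, crit2


def affine_table(n, c):
    """Constructed sample: the affine bijection f(x) = x ^ c on Z_2^n."""
    return [x ^ c for x in range(1 << n)]


if __name__ == "__main__":
    for n in (4, 7, 8):
        print(n, s4(n), smoothest_split(n))
    # An affine table gives N(x,y) = C on every order-4 subgroup: 35 subgroups, one value.
    print(dict(n_distribution(affine_table(4, 5), 4)))
    print(check_criteria(affine_table(4, 5), 4))
```

`order4_subgroups` lists each subgroup once by sorting its three non-zero members, so `n_distribution` evaluates $N(x,y)$ exactly once per subgroup, which is the count the criteria refer to; for n = 8 that is 10,795 evaluations and runs in well under a second.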

In the following discussion, it is shown how to satisfy the first and third criteria above and approximate the second. The domain of $N(x,y)$ is the collection of subgroups of order $\le 4$. For n = 8 it would be quite tedious to enumerate all 10,795 subgroups of order 4. However, it is possible to arrange the order of the mapping $f(x)$ so that the algebraic relations among subgroups are clearly revealed. Typically, a mapping can be expressed as a table of integers or binary numbers as inputs paired with their encrypted images, as illustrated in Table 1.

$x_1$    $f(x_1)$          $1$    $f(1)$
$x_2$    $f(x_2)$    or    $2$    $f(2)$
$\ldots$                      $\ldots$
$x_i$    $f(x_i)$          $i$    $f(i)$
$\ldots$                      $\ldots$
$x_m$    $f(x_m)$          $m$    $f(m)$

where $m = 2^n - 1$

Table 1

The subgroups of order 4 can be obtained by taking all triples consisting of pairs of numbers and their corresponding sums from the column of input integers on the left. This leads to redundancy by a factor of 6. The task is much simpler if the two columns in the table are properly reordered.

The group of n-bit binary numbers with group operation bit wise addition modulo 2 is known to be an R-sequenceable group. (It is not R-sequenceable if the group operation is addition modulo $2^n$.) Thus, orthomorphisms of the group exist. In particular, any primitive polynomial in $GF(2^n)$ corresponds to a recursive function which generates a linear orthomorphism in the form of a permutation of the integers modulo $2^n$ (or with $\theta$ as a fixed point and a single cycle of length $2^n - 1$). As illustrated in FIG. 1A at step 14, all of the linear recursive functions on $Z_2^n$ are generated and then those which are maximal (primitive polynomials) are selected. A set of generating functions 16 is stored. In a vector space, a complete linearly independent set is a collection of elements whose linear combinations generate the entire vector space. A complete linearly independent set of n-bit numbers is a set of n such numbers, all different and all non-zero, in which no member of the set is a linear combination of the other n-1 numbers. This complete linearly independent set comprises the first n numbers of the orthomorphic permutation. The recursive generating function acting on this set generates the (n+1)th number in the permutation or sequence. The same function acting on the 2nd through (n+1)th numbers generates the (n+2)th number, etc. The use of recursive functions is not the only way to generate linear orthomorphisms. This can also be done algebraically. The orthomorphic permutation or ordering of the non-zero integers has the property that if $x_i \oplus x_j = x_k$ then $x_{i+d} \oplus x_{j+d} = x_{k+d}$, where the addition of the indices is modulo m, where $m = 2^n - 1$, and d is any integer. Thus, if $\{x_i, x_j, x_k, \theta\}$ is a subgroup, so is $\{x_{i+d}, x_{j+d}, x_{k+d}, \theta\}$. Thus, a single subgroup generates a family of subgroups all with the same relative spacings between indices. These subgroups are called similar subgroups by analogy to similar triangles. This ordering has nothing to do with the mapping. If 1, the first number in the natural order, becomes $x_i$ in the orthomorphic reordering, then $1 \to f(1)$ and $x_i = 1 \to f(x_i)$.

A maximal linear orthomorphism, written as a permutation, has the property that:

$x_{k-1} \oplus x_k = x_{k-p}$ (6)

for all indices k. The integer p is uniquely associated with the generating function or primitive polynomial. Finding p is a computationally difficult problem, equivalent to the discrete logarithm problem. However, for n of moderate size, p can be found by searching. Once p is known, it can be used indefinitely. For a spacing s:

p(s) again depends upon the generating function and the integer s. If the orthomorphic permutation is A, then equation (7) is equivalent to the permutation $A^s$. There is some help in finding p(s). First of all, if p(s) = t, then p(t) = s.

At step 18 in FIG. 1A, the generating functions are arranged in order of their basic shift values p. These values are selected integers greater than or equal to n and less than or equal to $2^n - n$. If two shift integers $p_i$ and $p_j$ have the property that $p_i + p_j = 2^n$, then the corresponding generating functions are complementary. These complementary pairs have some special cryptographic properties. The generating functions could also be ordered lexicographically from the indices in the recursive functions. Complementary pairs could be identified in this ordering also.

Proposition 2. For a power $A^s$ of the original orthomorphism, $p(2s) = 2p(s)$.

Proof: By definition:

$x_{k-2s} \oplus x_k = x_{k-p(2s)}$ (8)

Equation (8) can be rewritten as:

Considering k-s as an index, the first two terms on the left can be replaced by $x_{k-s-p(s)}$ and the third and fourth terms can be replaced by the right side of equation (7). Then equation (8) becomes:

$x_{k-s-p(s)} \oplus x_{k-p(s)} = x_{k-p(2s)}$ (10)

Considering $k-p(s)$ as an index, and applying equation (7), $x_{k-p(s)-s} \oplus x_{k-p(s)} = x_{k-p(s)-p(s)}$, so that the equation becomes:

$x_{k-2p(s)} = x_{k-p(2s)}$ (11)

Any family of similar subgroups is defined by its spacings,

$x_i \to x_j,\quad x_i \to x_k,\quad x_j \to x_k$ (12)

These are respectively (j-i), (k-i) and (k-j). Three additional spacings are the three inverses of these modulo m. Thus, each family of similar subgroups is characterized by a family of six spacings. There are $2^n - 2$ such spacings. Thus, if n is odd, as shown above, $6 \mid (2^n - 2)$, and there are $\dfrac{2^n - 2}{6}$ families of similar subgroups, with $m = 2^n - 1$ subgroups in each family. If n is even,

$2^n - 2 = (2^n - 4) + 2 = 2(2^{n-1} - 2) + 2$ (13)

$6 \mid (2^n - 4)$ so that there are $\dfrac{2^n - 4}{6}$ families of similar subgroups plus one degenerate family with two spacings, $\dfrac{m}{3}$ and $\dfrac{2m}{3}$, each occurring three times. For example, when n = 8, there are 42 families of m subgroups each, all with six spacings, plus an additional family with spacings 85 and 170 and containing $\dfrac{m}{3} = 85$ subgroups. In this latter family, the subgroups are mutually disjoint, except for $\theta$. Thus, $Z_2^8$ is decomposed into 42 families containing 255 subgroups each plus a single family of 85 disjoint subgroups of order 4. Another, and simpler, example is for n = 4. In this case there are two families of 15 subgroups. There are two primitive polynomials and correspondingly two generating functions or maximal linear orthomorphisms. One of these is $x_k = x_{k-3} \oplus x_{k-4}$, for which p = 4. The corresponding orthomorphic permutation can be written in terms of an arbitrary complete linearly independent set, $\{x_1, x_2, x_3, x_4\}$, as follows:

$(\theta)(x_1,\ x_2,\ x_3,\ x_4,\ x_1 \oplus x_2,\ x_2 \oplus x_3,\ x_3 \oplus x_4,\ x_1 \oplus x_2 \oplus x_4,\ x_1 \oplus x_3,\ x_2 \oplus x_4,\ x_1 \oplus x_2 \oplus x_3,\ x_2 \oplus x_3 \oplus x_4,\ x_1 \oplus x_2 \oplus x_3 \oplus x_4,\ x_1 \oplus x_3 \oplus x_4,\ x_1 \oplus x_4)$ (14)
For example, if any consecutive pair is added, the sum is four positions to the right of the first member of the pair. The three families of similar subgroups can be characterized by one member each, as illustrated in Table 2.

Family I               Family II              Family III
Spacings               Spacings               Spacings
1, 3, 4, 11, 12, 14    2, 6, 7, 8, 9, 13      5, 10

Table 2

Family III consists of the disjoint triples: (1, 6, 11), (2, 7, 12), (3, 8, 13), (4, 9, 14), and (5, 10, 15) where the above triples are indices of $x_i, x_j, x_k$ in the subgroups. The maximal linear orthomorphism can also be written as a set of equations, as illustrated in Table 3.
$x_m \oplus x_1 = x_{1-p}$
$x_1 \oplus x_2 = x_{2-p}$
$\ldots$
$x_{k-1} \oplus x_k = x_{k-p}$
$\ldots$
$x_{m-1} \oplus x_m = x_{m-p}$

Table 3

$m = 2^n - 1$. The middle column is the orthomorphic permutation written in column form. Each of the subgroups in Family I is represented by one of the m = 15 non-trivial equations. The spacing 1 means the spacing between the indices in the left and middle columns. There are five other arrangements of the columns. Each represents a power of the basic orthomorphic permutation. For example, exchanging the left and right columns above produces a set of equations of the form:

$x_{k-p} \oplus x_k = x_{k-1}$ (15)

This represents the $p$th power of the original orthomorphic permutation. In the example above, p = 4.

Thus, each family of subgroups, when arranged in a linear maximal orthomorphic order, represents powers of that same permutation. The power is the spacing of indices between the left and middle columns. For the recursive function above, $x_k = x_{k-3} \oplus x_{k-4}$ on $Z_2^4$, the powers of A are:

Family I                                Family II                               Family III
$A, A^3, A^4, A^{11}, A^{12}, A^{14}$   $A^2, A^6, A^7, A^8, A^9, A^{13}$       $A^5, A^{10}$ (16)
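The n = 4 example above can be reproduced mechanically. The following Python is an added example and not the patent's own code: it generates both maximal linear orthomorphisms of $Z_2^4$ from their recurrences, seeded with the constructed basis $x_1 = 1, x_2 = 2, x_3 = 4, x_4 = 8$, verifies the cycle of length 15, computes the shift $p(s)$ for each spacing, groups the spacings into the families of Table 2, and checks Proposition 2 and the rule $p(s) = t \Rightarrow p(t) = s$ for every spacing. Index arithmetic follows the worked example (the sum of $x_{k-s}$ and $x_k$ sits $p(s)$ positions to the right of $x_{k-s}$), which gives $p = 4$ for $x_k = x_{k-3} \oplus x_{k-4}$; the other primitive recurrence of degree 4, $x_k = x_{k-1} \oplus x_{k-4}$, is this example's choice for the second generating function and gives $p = 12$, so the two are a complementary pair ($4 + 12 = 2^4$).

```python
# Added example (not from the patent): maximal linear orthomorphisms of Z_2^4 from
# the two primitive recurrences, their shifts p(s), and the spacing families of Table 2.
from functools import reduce

N_BITS = 4
M = (1 << N_BITS) - 1  # m = 2^n - 1 = 15


def xor_taps(seq, k, taps):
    """XOR of x_{k-t} over the taps t; seq[i] holds x_{i+1} (positions are 1-based)."""
    return reduce(lambda acc, t: acc ^ seq[k - t - 1], taps, 0)


def orthomorphism(taps, basis):
    """x_1..x_m from the recurrence x_k = XOR of x_{k-t} for t in taps, seeded with the
    complete linearly independent set basis = (x_1, ..., x_n)."""
    seq = list(basis)
    while len(seq) < M:
        seq.append(xor_taps(seq, len(seq) + 1, taps))
    return seq


def is_maximal(seq, taps):
    """Maximal: m distinct non-zero values and the recurrence closes the cycle, x_{m+1} = x_1."""
    return len(set(seq)) == M and 0 not in seq and xor_taps(seq, M + 1, taps) == seq[0]


def shift(seq, s):
    """p(s): the offset with x_{k-s} ^ x_k = x_{k-s+p(s)} for every k, positions taken
    modulo m.  Returns None if the offset differs between values of k."""
    pos = {v: i + 1 for i, v in enumerate(seq)}
    offsets = set()
    for k in range(1, M + 1):
        first = (k - s - 1) % M                 # 0-based position of x_{k-s}
        total = pos[seq[first] ^ seq[k - 1]]    # 1-based position of the sum
        offsets.add((total - (first + 1)) % M)
    return offsets.pop() if len(offsets) == 1 else None


def families(seq):
    """Group the spacings 1..m-1 into families of similar subgroups: the triple at
    positions {k-s, k, k-s+p(s)} has spacings s, p(s), p(s)-s and their inverses mod m."""
    found = set()
    for s in range(1, M):
        p = shift(seq, s)
        diffs = {s, p, (p - s) % M}
        diffs |= {(-d) % M for d in diffs}
        found.add(tuple(sorted(diffs)))
    return sorted(found)


if __name__ == "__main__":
    first = orthomorphism((3, 4), (1, 2, 4, 8))   # x_k = x_{k-3} ^ x_{k-4}, the text's example
    second = orthomorphism((1, 4), (1, 2, 4, 8))  # x_k = x_{k-1} ^ x_{k-4}, this example's choice
    print(first, shift(first, 1))                  # p = 4
    print(second, shift(second, 1))                # p = 12, complementary to 4
    print(families(first))                         # the three families of Table 2
```

With the basis 1, 2, 4, 8 the first sequence is the numeric form of permutation (14): position 5 holds $x_1 \oplus x_2 = 3$, position 8 holds $x_1 \oplus x_2 \oplus x_4 = 11$, and so on. `families` returns the same three spacing sets for either generating function, which is why Table 2 is stated for $Z_2^4$ as a whole.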

In Families I and II, adding two subgroups by respectively adding the numbers in the corresponding positions produces another triple in the same family. For example, $\{x_k, x_{k+1}, x_{k+p}\} + \{x_i, x_{i+1}, x_{i+p}\} = \{x_j, x_{j+1}, x_{j+p}\}$ where $x_k \oplus x_i = x_j$.

When two triples from Family I or two triples from Family II are added together component-wise like vector addition, the resulting triple of numbers is another from the same family with the numbers in the same order. In the case of Family III, the degenerate family, adding together two triples as described above produces another triple of numbers in the same family, but in a different order. However, the specification of the subgroup does not depend upon its order. Thus, each family is a subgroup of the product group $Z_2^n \times Z_2^n \times Z_2^n$. If any pair of subgroups of order 4 is combined in this way, without regard to order of group elements, e.g.,

$x_a \oplus x_b = x_c$
$x_d \oplus x_e = x_f$ (17)
$(x_a \oplus x_d) \oplus (x_b \oplus x_e) = (x_c \oplus x_f)$

then the sum is clearly a subgroup and must be in one of the families or a subgroup of order 1 or 2. This pattern holds for any n even.

This same pattern holds in general, and in particular for n = 8, which is a common block size for encryption. In that case there are 42 families or product groups each containing 255 subgroups of order 4 and 1 degenerate family of 85 such subgroups as mentioned above. There are 16 generating functions for maximal linear orthomorphisms in $Z_2^8$ corresponding to the 16 primitive polynomials. Any one of these is selected and the corresponding shift p is used to select the spacings for the first family of subgroups of order 4. These 6 spacings are: $1,\ p-1,\ p,\ m-1,\ m-p+1,$ and $m-p$. For the second family, any spacing is chosen, that is, any integer $1 < s < m-1$ which has not already been used. This and p(s) will generate the remaining four spacings. Selecting any s and determining the corresponding value of p(s) may require some searching. However, one s, p(s) pair will yield up to 2n-1 additional pairs. Thus, finding the 42 families of subgroups is not an exhausting task.
A straightforward approach of designing to nonlinearity is first to determine the desired nonlinearity and then work backward to find a mapping that meets this requirement. For example, it would be tempting to take the family of subgroups in $Z_2^n \times Z_2^n \times Z_2^n$ of order $m = 2^n - 1$ defined by triples whose indices in the orthomorphic permutation are given by $x_k, x_{k+1}, x_{k+p}$. One could take the m non-zero numbers in $Z_2^n$ and assign them one each to the m triples to serve as the $N(x,y)$ value for that subgroup. Then one could look for a mapping to fit this. But each number appears in three subgroups of order 4 in the product group or family, so there are constraints within the family. One cannot, in general, find a mapping which will satisfy an arbitrary assignment of values of $N(x,y)$.

The selection of $N(x,y)$ values in one family determines those in other families. Only one family of subgroups need be dealt with so that the task is manageable even for relatively large block sizes n.

More generally, consider any subgroup of order 4 in one of the non-degenerate product groups (family of subgroups). The subgroup, omitting the identity element $\theta$, can be written as:

$x_a,\ x_b,\ x_c$ (18)

where $x_c = x_a \oplus x_b$ and a, b, c are the indices or positions of the respective numbers in the orthomorphic permutation. This notation can also be abbreviated as a, b, c. One could proceed as follows:

1. Assign any number to $N(x_a, x_b) \neq \theta$.

2. There are m choices for $f(x_a)$ and m-1 choices for $f(x_b)$ to be consistent with the choice for $N(x_a, x_b)$. Of course, $f(x_c)$ is then fixed.

3. $x_a$, $x_b$, and $x_c$ each occur in two more places in the same family. Assuming that all values of $N(x,y)$ have already been assigned, there are six other subgroups in the same family where there will be one choice to be made in assigning some value to $f(x_i)$ for $i \neq a, b$ or c.

4. There will be m-7 other subgroups where assignments of $f(x_i)$ must be made, starting in the same way and consistent with the first seven.

5. The other families of subgroups will be fully determined by the first.

6. This process will continue until all assignments have been made or an irresolvable snag has been encountered.
For any bijective mapping on $Z_2^n$, one could enumerate all of these subgroups, list the corresponding values of $f(x_i)$, and compute $N(x,y)$. From a set of $N(x,y)$ values, one could work backwards to find the consistent values of $f(x_i)$. The process can be illustrated as follows:

1. Choose an initial subgroup $x_a, x_b, x_c$ where $x_c = x_a \oplus x_b$.

2. Choose $N(x_a, x_b)$: m choices.

3. Choose $f(x_a)$: m choices.

4. Choose $f(x_b)$: at most m-1 choices.

5. Record values of $f(x_a)$, $f(x_b)$ and $f(x_c)$ in other subgroups.

6. Proceed to the next subgroup, but with restricted choices. Completing one non-degenerate family will fully determine the others.

7. This process has been done successfully for n = 3 but it is difficult to extend it for n > 4.

Again, for n even, one could start with the degenerate family with spacings $\dfrac{m}{3}$ and $\dfrac{2m}{3}$ where $m = 2^n - 1$. Let $b = \dfrac{m}{3}$ and $c = \dfrac{2m}{3}$. The family can be written as illustrated in Table 4.

$x_1$    $x_{b+1}$    $x_{c+1}$
$x_2$    $x_{b+2}$    $x_{c+2}$
$\ldots$
$x_i$    $x_{b+i}$    $x_{c+i}$
$\ldots$

where $1 \le i \le \dfrac{m}{3}$.

Table 4

The columns are paired with another column as illustrated in Table 5.



WO 00/10285    PCT/US99/18538

[Table 5: each column of Table 4 paired with another column; the entries are not recoverable from this copy.]

Table 5

The right column in each pair can be rotated and represent the mapping $f(x)$ of the number in the left column as illustrated in Table 6.

x    f(x)    |    x    f(x)    |    x    f(x)
[Table 6: three such column pairs, the f(x) column of each pair being the paired column of Table 5 rotated by the index increments $\Delta(1)$, $\Delta(2)$ and $\Delta(3)$ respectively; the remaining entries are not recoverable from this copy.]

Table 6

This will be a bijective mapping deterministically. The numbers $\Delta(1)$, $\Delta(2)$ and $\Delta(3)$ are arbitrary fixed increments to the indices to permit rotating the right columns to avoid duplication of $N(x,y)$ values. With a little movement up or down, it will produce $\dfrac{m}{3}$ distinct values of $N(x,y)$. The pattern of values of $N(x,y)$ in the other families of subgroups will be fully determined but it is difficult to predict in advance for which subgroups $N(x,y) = \theta$ and the distribution of the other values. This information can be obtained by computer analysis.

Another method is next discussed which determines and optimizes the entire $N(x,y)$ pattern. The immediately preceding discussion gave a method of designing mappings which ensure that the range of $N(x,y)$ has at least $\dfrac{m}{3}$ values of $Z_2^n$. The following approach obtains the full range of values and in an optimized distribution, as well.

In $Z_2^n$ the subgroups of order 4 fall naturally into families with $2^n - 1$ subgroups in each. At step 20 in FIG. 1A, any primitive generating function with some shift integer p is selected and the first maximal linear orthomorphism is constructed. A generating function selector 22, which may be, for example, a key, is used to select the first generating function. If the natural order of the numbers is replaced by a maximal linear orthomorphic ordering, each full family represents that orthomorphism. The family can be expressed as follows, omitting the fixed point $\theta$:

$x_m \oplus x_1 = x_{1-p}$
$x_1 \oplus x_2 = x_{2-p}$
$\ldots$
$x_{k-1} \oplus x_k = x_{k-p}$
$\ldots$
$x_{m-1} \oplus x_m = x_{m-p}$

Table 7

The numbers in the right column are sums of the corresponding pairs in the left and middle columns. This is because they are subgroups and independent of the orthomorphism, which has only determined the order of the triples, but not their contents. Next, another maximal linear orthomorphism is selected with a different generating function. This can be represented by a set of equations of the form:

$y_m \oplus y_1 = y_{1-q}$
$y_1 \oplus y_2 = y_{2-q}$
$\ldots$
$y_{k-1} \oplus y_k = y_{k-q}$
$\ldots$
$y_{m-1} \oplus y_m = y_{m-q}$

Table 8

q is the shift of the permutation as written in the middle column. q is uniquely associated with the generating function, so $q \neq p$ where p is the shift associated with the generating function of the first orthomorphism. Next, the second orthomorphism is used as the mapping $f(x)$ on the clear text numbers $x_k$ as arranged in the families of subgroups by setting $f(x_k) = y_k$ and $f(\theta) = \theta$. The set $\{y_k\}$ becomes the cipher text. This arrangement is shown pictorially as follows:
First Orthomorphic Permutation: $(\theta)(x_1, x_2, \ldots, x_k, \ldots, x_m)$ (19)

Second Orthomorphic Permutation: $(\theta)(y_1, y_2, \ldots, y_k, \ldots, y_m)$ (20)

The same mapping $x_k \to y_k$ is defined using either the left or middle columns in Tables 7 and 8. This is because in both orthomorphisms, the left column is displaced down one position from the middle column. However, in the right column the first orthomorphism is displaced by p positions and the second orthomorphism by q positions, where $p \neq q$. Thus, the right column of the orthomorphism in Table 8 does not represent the mapping $x_{k-p} \to y_{k-p}$ because $p \neq q$ and $k-p \neq k-q$ in general. The mapping is represented in Table 9 where in each pair of rows the x value is mapped to the y value below, each x row represents the first orthomorphism and $x_{k-1} \oplus x_k = x_{k-p}$, but the y rows do not represent the second orthomorphism and $y_{k-1} \oplus y_k \neq y_{k-p}$.

$x_m$        $x_1$      $x_{1-p}$
$y_m$        $y_1$      $y_{1-p}$
$x_1$        $x_2$      $x_{2-p}$
$y_1$        $y_2$      $y_{2-p}$
$\ldots$
$x_{k-1}$    $x_k$      $x_{k-p}$
$y_{k-1}$    $y_k$      $y_{k-p}$
$\ldots$
$x_{m-1}$    $x_m$      $x_{m-p}$
$y_{m-1}$    $y_m$      $y_{m-p}$

Table 9

Each number $x_i$ occurs three times in this family of subgroups, that is, once in each column. There is no conflict in these assignments because the same mapping $f(x_k) = y_k$ holds in each column.

$N(x_{k-1}, x_k) = f(x_{k-1}) \oplus f(x_k) \oplus f(x_{k-1} \oplus x_k)$ (21)
$= f(x_{k-1}) \oplus f(x_k) \oplus f(x_{k-p})$ (22)

With the cryptographic mapping as defined above, this becomes:

$N(x_{k-1}, x_k) = y_{k-1} \oplus y_k \oplus y_{k-p} = y_{k-q} \oplus y_{k-p}$ (23)

because:

$y_{k-1} \oplus y_k = y_{k-q}$ (24)

thus:

$N(x_{k-1}, x_k) \neq \theta$ because $p \neq q$. (25)

If the $N(x,y)$ values in Table 9 are tabulated, the following listing for the $2^n - 1 = m$ values in Table 10 is obtained.

$y_{1-q} \oplus y_{1-p} = N(x_m, x_1)$
$y_{2-q} \oplus y_{2-p} = N(x_1, x_2)$
$\ldots$
$y_{k-q} \oplus y_{k-p} = N(x_{k-1}, x_k)$
$\ldots$
$y_{m-q} \oplus y_{m-p} = N(x_{m-1}, x_m)$

Table 10

The two y columns each represent the same orthomorphic permutation with one rotated from the other by a shift of $q - p = r$. This can be expressed by a set of equations.

$y_{1-r} \oplus y_1 = y_{1-q(r)}$
$y_{2-r} \oplus y_2 = y_{2-q(r)}$
$\ldots$
$y_{k-r} \oplus y_k = y_{k-q(r)}$
$\ldots$
$y_{m-r} \oplus y_m = y_{m-q(r)}$

Table 11

This represents the power r of the orthomorphic permutation $(\theta)(y_1, y_2, \ldots, y_m)$. Thus, by definition of an orthomorphism the set $\{y_{k-q(r)}\}$ are distinct and comprise all non-zero numbers in $Z_2^n$.

The analysis so far has considered only one of the families of subgroups of order 4. If n is odd, there are $\dfrac{2^n - 2}{6} - 1$ remaining such families, and if n is even, there are $\dfrac{2^n - 4}{6}$ such families plus one degenerate family of $\dfrac{m}{3}$ subgroups. Consider any other non-degenerate family. As discussed hereinabove, such a family can be characterized by a common set of spacings among group elements in similar subgroups. Any such set of spacings can be represented by a set of equations as in Table 7, but this time representing some power s of the orthomorphism which determined the order of this family:

$x_{1-s} \oplus x_1 = x_{1-p(s)}$
$x_{2-s} \oplus x_2 = x_{2-p(s)}$
$\ldots$
$x_{k-s} \oplus x_k = x_{k-p(s)}$
$\ldots$
$x_{m-s} \oplus x_m = x_{m-p(s)}$

Table 12

The corresponding mapping has already been determined in Table 9 by $f(x_k) = y_k$. Also, $N(x_{k-s}, x_k) = f(x_{k-s}) \oplus f(x_k) \oplus f(x_{k-p(s)}) = y_{k-s} \oplus y_k \oplus y_{k-p(s)} = y_{k-q(s)} \oplus y_{k-p(s)}$, as in Table 10.

Because $p \neq q$ and because the family of subgroups is not degenerate, $p(s) \neq q(s)$; $y_{k-q(s)} \oplus y_{k-p(s)}$ are sums of equally spaced pairs from a maximal linear orthomorphism, for all values of k from 1 to m. Thus, each sum is distinct and $N(x_{k-s}, x_k)$ takes on all possible values except $\theta$.

If n is even, there is a degenerate family of subgroups with spacings m/3 and 2m/3. This family corresponds to a power of the orthomorphism where s = m/3 or s = 2m/3. That is, the subgroups of order 4 are arranged in the order specified by θ^s. For all maximal linear orthomorphisms, regardless of generating function, if s = m/3, then p(s) = 2m/3, and if s = 2m/3, then p(s) = m/3. Referring back to Tables 11 and 12, for any row and s = m/3 or 2m/3:

y_{k+s} ⊕ y_k = y_{k+p(s)} (26)
x_{k+s} ⊕ x_k = x_{k+q(s)} (27)

In this special case, q(s) = p(s) and N(x_{k+s}, x_k) = y_{k+q(s)} ⊕ y_{k+p(s)} = θ.

For example, if n = 8 and s = 85 = 255/3, then:

x_{k+85} ⊕ x_k = x_{k−85} (28)

and:

y_{k+85} ⊕ y_k = y_{k−85} (29)

for all generating functions, and N(x_{k+85}, x_k) = y_{k+85} ⊕ y_k ⊕ y_{k−85} = θ.

This degenerate family consists of m/3 subgroups and thus m/3 values of N(x,y) = θ, where m/3 = (2^n − 1)/3. However, for the remaining subgroups N(x,y) ≠ θ, and the number of these latter subgroups is:

(2^n − 1)(2^n − 2)/6 − (2^n − 1)/3 = (2^n − 1)(2^n − 4)/6 (30)

Thus, for n even, the ratio of subgroups for which N(x,y) = θ to subgroups for which N(x,y) ≠ θ becomes:

[(2^n − 1)/3] / [(2^n − 1)(2^n − 4)/6] = 1/(2^{n−1} − 2) (31)

which is 1/126 for 8-bit numbers. However, for n odd, there are no degenerate families of subgroups and the ratio is zero, that is, for all subgroups of order 4, N(x,y) ≠ θ and is evenly distributed.

The procedures described hereinabove using N(x,y) measure the nonlinearity of a mapping f(x) of n-bit numbers to n-bit numbers. In some cases there is an interest in measuring the nonlinearity of the underlying Boolean functions. These are functions f_i(x) of n-bit numbers to a single bit, in the ith bit position of the encrypted number or block; n such Boolean functions are required to represent the mapping f(x) from n-bit numbers to n-bit numbers. The nonlinearity of these underlying Boolean functions is typically measured by the L_2 and L_4 norms using the Walsh-Fourier transform. At step 24 in FIG. 1A, it is determined if the nonlinear mapping to be generated must have optimized L_2 and L_4 norms in the Walsh-Fourier transform. The nonlinear mappings derived by the method of the present invention also produce very good L_2 and L_4 norms if, as at step 26 in FIG. 1B, optimized norms are not required and any one second primitive generating function is selected for which P_2 ≠ P_1. A key 27 is used to select the second generating function. However, if the theoretical optimized limit of these norms is required, this auxiliary requirement can be achieved by selecting as the second maximal linear orthomorphism that one which is derived from the primitive polynomial which is the complement of the first primitive polynomial, that is, where P_2 = 2^n − P_1, as illustrated at step 28 in FIG. 1B. The trade off is that the choice of the second generating function is now restricted and the key size is reduced. However, the variability derived from a free choice of complete linearly independent sets supplied to the recursive generating functions is not altered.

At step 30 in FIG. 1B, two complete linearly independent sets of n-bit numbers are selected. As described hereinabove, a complete linearly independent set of n-bit numbers is one in which no member of the set is a linear combination of the other n−1 numbers. A key 31 is used to select the sets of numbers. The two sets of n-bit numbers can be selected using a number of different techniques. For example, the most general method, but not the most efficient method, is as follows:

Step 1: Select arbitrarily or randomly any n-bit number. If it is not identically zero, accept it as a member of the set. There are 2^n − 1 choices.

Step 2: Similarly select any non-zero number different from the number selected in Step 1. There are 2^n − 2 choices.

Step 3: Select any non-zero number different from the numbers selected in Steps 1 and 2 and not equal to their sum. Equivalently, choose any number not in the subgroup generated by the numbers selected in Steps 1 and 2. There are 2^n − 2^2 choices.

Step 4: Choose any number not in the subgroup generated by the numbers selected in Steps 1 through 3. There are 2^n − 2^3 choices.

Continue in this manner until reaching the last step.

Step n: Choose any number not in the subgroup generated by the numbers selected in the first n−1 steps. There are 2^n − 2^{n−1} = 2^{n−1} choices.

To perform the above process deterministically, that is, to ensure that the choice made in each step is valid, the previous choices must be stored and the remaining range of valid choices for the next step must be computed. However, the n choices could be made independently without any bookkeeping or computation, and the n numbers selected could then be checked for linear independence by, for example, using the Gauss-Jordan method. This could be done quickly with the random selection. For n = 8, the probability of success is .29. If 10 such sets were generated, the probability of success at least once is .97. The tradeoff between these two variations is in processing time and memory. In either case, with a random selection, all possible complete linearly independent sets are obtainable with equal probability.
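The two selection variants just described, as an added example that is not part of the patent: the subgroup bookkeeping of Steps 1 through n, the independent draw followed by a Gauss-Jordan test over GF(2), and the .29 and .97 figures recomputed. The random source and seeds are this example's own assumptions.

```python
"""Added example (not the patent's own code): two ways the text gives for
obtaining a complete linearly independent set, i.e. n n-bit numbers none of
which is the sum (XOR) of the others.

  select_with_bookkeeping: Steps 1..n, keeping the subgroup generated so far and
      drawing only from its complement (2^n - 2^(k-1) choices at step k);
  select_and_check: draw the n numbers independently and test them afterwards by
      Gauss-Jordan elimination over GF(2).

The random source, seeds and the success-probability arithmetic are this
example's own assumptions, not taken from the patent.
"""
import random

def gf2_rank(numbers, n):
    """Rank over GF(2) of the given n-bit numbers by Gauss-Jordan elimination:
    each pivot row is reduced against every other row, so the surviving rows
    have pairwise distinct leading bits."""
    rows = [v & ((1 << n) - 1) for v in numbers]
    rank = 0
    for bit in reversed(range(n)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def is_complete_set(numbers, n):
    """True iff the n numbers form a complete linearly independent set."""
    return len(numbers) == n and gf2_rank(numbers, n) == n

def select_with_bookkeeping(n, seed=None):
    """Steps 1..n: at step k choose any number outside the subgroup generated by
    the k-1 numbers already chosen. The subgroup is stored explicitly, so every
    draw is valid by construction (2^n - 2^(k-1) candidates at step k)."""
    rng = random.Random(seed)
    subgroup = {0}
    chosen = []
    for _ in range(n):
        v = rng.choice([c for c in range(1 << n) if c not in subgroup])
        chosen.append(v)
        subgroup |= {g ^ v for g in subgroup}     # span doubles with each pick
    return chosen

def select_and_check(n, tries=10, seed=None):
    """Draw n numbers independently with no bookkeeping, then test them; returns
    the first complete set found within `tries` attempts, else None."""
    rng = random.Random(seed)
    for _ in range(tries):
        cand = [rng.randrange(1 << n) for _ in range(n)]
        if is_complete_set(cand, n):
            return cand
    return None

def success_probability(n):
    """Probability that n independently drawn n-bit numbers are linearly
    independent: prod_{i=1..n} (1 - 2^-i), about .29 for n = 8."""
    p = 1.0
    for i in range(1, n + 1):
        p *= 1 - 2.0 ** -i
    return p

def probability_within(n, tries):
    """Probability that at least one of `tries` independent draws succeeds."""
    return 1 - (1 - success_probability(n)) ** tries
```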

Another example of a method to select the two sets of linearly independent numbers is as follows. An arbitrary n×n matrix of rank n is generated. The rows and columns by definition are complete linearly independent sets. Applying elementary row and column operations to this matrix produces new rows and columns which are again complete linearly independent sets. Inherent in this process is the restriction that no row or column can be added to itself. All possible complete linearly independent sets are theoretically reachable, but it is not obvious how many operations are needed to reach all possibilities with equal probability. U.S. Patent No. 5,778,074 issued to Garcken et al. and entitled "Methods for Generating Variable S-Boxes From Arbitrary Keys of Arbitrary Length Including Methods Which Allow Rapid Key Changes", which is incorporated herein by reference, is a special case of this in which elementary row operations only are applied to a matrix which has all ones on the main diagonal and zeroes elsewhere. With a limited key size and differential treatment of the individual rows, all complete linearly independent sets are not available or uniformly distributed. However, it is fast and does not require side computations.

Another example of a method to select the two sets of linearly independent numbers utilizes a maximal length linear orthomorphism written as a permutation of the 2^n n-bit binary numbers. The term "maximal length" as used in this method means that the permutation has no subcycles except a single fixed point containing just zero. Any set of n equally spaced numbers in the permutation is a complete linearly independent set. For a given fixed orthomorphism, there are 2^{n−1} − 1 distinct spacings and 2^n − 1 starting points. For n = 8, this would generate 32,385 complete linearly independent sets. More sets could be obtained by using more orthomorphisms. No computation or checking is required. However, on rare occasions, the orthomorphism generated by the complete linearly independent set could be the same as the orthomorphism from which the complete linearly independent set was selected.

The methods of selecting the two sets of linearly independent numbers illustrated hereinabove are illustrative of the methods that may be used. Any of the methods illustrated or any suitable method may be used to select the two sets of linearly independent numbers. At step 32 in FIG. 1B, a first maximal linear orthomorphism written as a permutation (θ)(x_1, x_2, x_3, …) is generated using the first set of n-bit numbers and the first generating function. At step 34, a second maximal linear orthomorphism written as a permutation (θ)(y_1, y_2, y_3, …) is generated using the second set of n-bit numbers and the second generating function.

At step 36 in FIG. 1B, it is determined if mappings (block substitutions) with fixed points are acceptable. A fixed point is a block or number which is mapped to itself, i.e., not encrypted but sent in the clear. At first it would seem unacceptable to permit more than an occasional fixed point. Nevertheless, a number of S/P systems, such as DES, accept multiple fixed points. If an empirically designed S-box contains some fixed points but otherwise meets the desired measures of cryptographic strength, it is tempting to search no further. At step 40 in FIG. 1C, the two orthomorphic permutations are paired as follows:

(θ)(x_1, x_2, x_3, …)
(θ)(y_{1+d}, y_{2+d}, y_{3+d}, …)

The mapping is defined as f(x_i) = y_{i+d}, where x_i is the clear text and y_{i+d} is the cipher text. At step 42 in FIG. 1C, the two orthomorphic permutations are paired as follows:

(θ)(x_1, x_2, x_3, …)
(θ)(y_1, y_2, y_3, …)

The mapping is defined as f(x_i) = y_i, where x_i is the clear text and y_i is the cipher text.

Because the two orthomorphic permutations have been derived from the same complete linearly independent set, rotations which eliminate other fixed points can easily be found. There are now no fixed points except f(θ) = θ. The overall variability has been slightly reduced. At step 38 in FIG. 1C, the second orthomorphic permutation is rotated by some number of positions d so that x_i ≠ y_{i+d} for all values of i.

FIG. 2 illustrates an implementation of a method for generating nonlinear substitution tables for the general case of n-bit substitution tables. At steps 44 and 46, two complete linearly independent sets of n-bit numbers CS1[1], … CS1[n] from n·(n−1) bits of key material and CS2[1], … CS2[n] from key material are generated from binary data 48. Such a set of numbers is one in which no member of the set is the sum of any of the other n−1 numbers in the same set. This is a fundamental concept in linear algebra. Such sets can be constructed in many ways, including the methods described hereinabove. At step 50, the first n elements of two arrays A1 and A2 are set as A1[0] = A2[0] = 0, A1[i] = CS1[i], and A2[i] = CS2[i] for i = 1 through n. At steps 52 and 54, each complete set is used, along with a recursive generating function, to generate maximal linear orthomorphisms which are special types of one-to-one mappings of some finite set onto itself. At step 52, a generating function G1 is applied recursively, using A1[i−n] through A1[i−1], to determine A1[i] for i = n+1 through 2^n − 1. At step 54, a second generating function G2 is applied recursively, using A2[i−n] through A2[i−1], to determine A2[i] for i = n+1 through 2^n − 1. At step 56, an n-bit substitution table, consisting of 2^n entries, is generated such that if an element of the middle column of the first linear orthomorphism is used as an index into the substitution table, the value at that index is the corresponding element of the middle column of the second linear orthomorphism. The substitution table S is set as S[A1[i]] = A2[i] for i = 0 through 2^n − 1. More specifically, let x_0, x_1, …, x_i, …, x_m be the elements of the middle column of the first linear orthomorphism and let y_0, y_1, …, y_i, …, y_m be the elements of the middle column of the second linear orthomorphism, as represented in Table 9. Then, letting S represent the substitution table:

S[x_i] = y_i, for i from 0 to 2^n − 1 (41)

As an example, for n = 8 (i.e., for 8-bit, 256-entry, substitution tables), there are 16 different recursive generating functions which may be used to generate the two maximal linear orthomorphisms needed for this method. The two linear orthomorphisms must be generated using two different generating functions. Table 13 lists the sixteen recursive generating functions, organized into eight complementary pairs.





Generating Function                                        Complementary Generating Function

x_i = x_{i−8} ⊕ x_{i−4} ⊕ x_{i−3} ⊕ x_{i−2}                x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−4}
x_i = x_{i−8} ⊕ x_{i−5} ⊕ x_{i−3} ⊕ x_{i−1}                x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−5} ⊕ x_{i−3}
x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−2}                x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−3} ⊕ x_{i−2}
x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−1}                x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−3} ⊕ x_{i−2}
x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−2} ⊕ x_{i−1}                x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−6} ⊕ x_{i−1}
x_i = x_{i−8} ⊕ x_{i−5} ⊕ x_{i−3} ⊕ x_{i−2}                x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−3}
x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−6} ⊕ x_{i−3} ⊕ x_{i−2} ⊕ x_{i−1}    x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−2} ⊕ x_{i−1}
x_i = x_{i−8} ⊕ x_{i−6} ⊕ x_{i−4} ⊕ x_{i−3} ⊕ x_{i−2} ⊕ x_{i−1}    x_i = x_{i−8} ⊕ x_{i−7} ⊕ x_{i−6} ⊕ x_{i−5} ⊕ x_{i−4} ⊕ x_{i−2}

Table 13
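The FIG. 2 construction, steps 44 through 56 and equation (41), as an added example that is not the patent's own code; it also checks the degenerate-family result of equations (28) and (29) for n = 8. The seed sets CS1 and CS2 and the choice of the first complementary pair of Table 13 as G1 and G2 are this example's assumptions.

```python
"""Added example (not the patent's own code): the FIG. 2 procedure, steps
44-56 and equation (41), for n = 8, plus a check of the degenerate-family
result of equations (28)-(29).

Assumptions, all constructed for this example: the two complete linearly
independent sets CS1 and CS2 below, and the two generating functions G1 and G2
(the first complementary pair of Table 13, as step 28 recommends):
  G1: x_i = x_{i-8} ^ x_{i-4} ^ x_{i-3} ^ x_{i-2}
  G2: x_i = x_{i-8} ^ x_{i-6} ^ x_{i-5} ^ x_{i-4}
"""
N_BITS = 8
M = (1 << N_BITS) - 1            # 2^n - 1 = 255 numbers in the major cycle

# A generating function is written as its taps: x_i = XOR of x_{i-t} for t in taps.
G1 = (8, 4, 3, 2)
G2 = (8, 6, 5, 4)

# Constructed seed sets; each is complete linearly independent (unit vectors,
# and a "triangular" set where every member adds a new highest bit).
CS1 = [1, 2, 4, 8, 16, 32, 64, 128]
CS2 = [1, 3, 7, 15, 31, 63, 127, 255]

def generate_orthomorphism(cs, taps, n=N_BITS):
    """Steps 50-54: A[0] = 0, A[1..n] = CS[1..n], then A[i] for i = n+1 .. 2^n - 1
    from the recursive generating function. Returns the whole array A."""
    a = [0] + list(cs)
    for i in range(n + 1, 1 << n):
        v = 0
        for t in taps:
            v ^= a[i - t]
        a.append(v)
    return a

def is_maximal(a, n=N_BITS):
    """A maximal linear orthomorphism visits every nonzero n-bit number exactly
    once: one cycle of length 2^n - 1 plus the fixed point 0. (If the seeds were
    not linearly independent the sequence would stay inside a proper subgroup.)"""
    return a[0] == 0 and sorted(a[1:]) == list(range(1, 1 << n))

def build_sbox(cs1=CS1, cs2=CS2, g1=G1, g2=G2, n=N_BITS):
    """Step 56 / equation (41): S[A1[i]] = A2[i] for i = 0 .. 2^n - 1.
    Returns (S, A1) so callers can walk the clear-text cycle."""
    a1 = generate_orthomorphism(cs1, g1, n)
    a2 = generate_orthomorphism(cs2, g2, n)
    if not (is_maximal(a1, n) and is_maximal(a2, n)):
        raise ValueError("seed set not complete, or generating function not maximal")
    s = [0] * (1 << n)
    for x, y in zip(a1, a2):
        s[x] = y
    return s, a1

def spaced_nonlinearity(s, a1, spacing):
    """N(x_{k-spacing}, x_k) = f(x_{k-s}) ^ f(x_k) ^ f(x_{k-s} ^ x_k) for every
    row k of the major cycle, indices taken around the cycle. spacing = 1 is the
    consecutive-pair measure; spacing = 85 or 170 is the degenerate family."""
    cycle = a1[1:]
    return [s[cycle[k - spacing]] ^ s[cycle[k]] ^ s[cycle[k - spacing] ^ cycle[k]]
            for k in range(len(cycle))]
```

With the complementary pair the consecutive-pair values of N are 255 distinct nonzero numbers, while at spacing 85 or 170 every value is zero, which is the 1/126 ratio of equation (31).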

The method described in FIG. 2 works for any integer n greater than two. Also, there are many more recursive generating functions than those related to primitive polynomials. Specifically, there are 2^{n−2} such functions, and all can be used for this purpose. A knowledge of these recursive generating functions is a convenience, not a necessity. The same orthomorphisms can be generated algebraically and without use of the generating functions, although the latter provide an efficient mechanism. Linear orthomorphisms can also be generated from the theory of traces in Galois Fields.

FIG. 3 is a diagram illustrating a computer system 58. Computers 60 and 62, which can each execute the method of the present invention, can transfer data via a communications link 64. The computers 60 and 62 may be any types of computers which have data transfer capabilities such as, for example, Apple Macintoshes, IBM compatible PCs, workstations, mainframes or minicomputers, or application-specific integrated circuits (ASICs). The communications link 64 can be any type of medium suitable to transfer data such as, for example, the Internet, a local area network, a radio frequency (RF) link, or a hardwired link.

FIGS. 4A-4D are diagrams illustrating another method of finding optimized nonlinear mappings of binary numbers. The method of FIGS. 4A-4C is applicable when the linear orthomorphisms have self-contained cycles in which the sum of two consecutive numbers in a cycle is contained in that same cycle, i.e., instead of having one cycle of length 2^n − 1 and a fixed point, the orthomorphisms have sub-cycles. The orthomorphisms must have the same cycle structure, i.e., the orthomorphisms have the same number of cycles and each individual cycle pair has the same size such that they match up. The foregoing can be explained by analogy. If the orthomorphisms are analogized to pairs of wheels, or disks, the disks with the same number of entries would be paired. Each disk can be rotated with respect to the other, but each disk and each cycle must have the same number of elements.

At step 102 in FIG. 4A, a block size n of binary data 100 is selected. The block size can be selected as described hereinabove in conjunction with FIG. 1A. At step 104, the recursive generating functions are tabulated, stored as stored generating functions 106, and listed at step 108 as described hereinabove in conjunction with FIG. 1A. At step 110, any first non-primitive generating function with cycles is selected with a key 112. If n = 8, there are 64 generating functions, 48 with cycles, some of which are self-contained and some of which are not, and 16 which are maximal. Thus, at step 110, when n = 8, a generating function is selected from those with cycles which are self-contained.

At step 114 in FIG. 4B, a key 116 is used to select a second non-primitive generating function for which the cycle pattern is the same as in the first generating function selected at step 110. At step 118, two complete linearly independent sets of numbers are selected using a key 120. The linearly independent sets of numbers could also be selected deterministically without using the key 120.

At steps 122 and 124, first and second linear orthomorphisms are generated, respectively. An example follows to illustrate how the linear orthomorphisms are generated. For n = 8, the recursive generating function is a function of the eight numbers, or it may skip some and assign a 0 to them, but the generating function is essentially a ninth number, which is generated using numbers 1-8. A tenth number is generated using the recursive generating function and numbers 2-9, and an eleventh number is generated using the recursive generating function and numbers 3-10. When the orthomorphisms have subcycles, a portion of the orthomorphism is generated with the complete linearly independent sets being operated on by the recursive generating function. The remainder of the orthomorphism is generated using algebraic principles. The sums of the numbers in the orthomorphism can be thought of as vectors, and thus the left number in the first vector can be added to the left number in the second one, the right number of the first one can be added to the right number of the second one, and the middle number of the first one can be added to the middle number of the second one, which yields another vector in another cycle. If the vector is in the same cycle, it is discarded. The remaining numbers in the orthomorphism are thus generated because the cycle which was generated using the generating function has a complete linearly independent set of vectors and by definition the entire group will be generated.

Another method of generating the orthomorphism with cycles is to not use the recursive generating function. First, n linearly independent numbers (x_1, x_2, …, x_n) are selected as is done when recursive functions are used. Next, the number x_{n+1} is selected, which gives n equations of the orthomorphisms. These numbers can be used to construct n−1 equations of the linear orthomorphism:

x_1 + x_2 = z_2
x_2 + x_3 = z_3
…
x_{n−1} + x_n = z_n (42)

These n−1 equations consist of n−1 linearly independent numbers in each column. Each such set could generate a maximal subgroup of Z_2^n, i.e., 2^{n−1} numbers which comprise half of the total. Correspondingly, by taking linear combinations of these n−1 equations viewed as vectors, one could generate half of the orthomorphisms represented by such a set of equations. If a valid value of x_{n+1} were assigned, an nth equation would exist:

x_n + x_{n+1} = z_{n+1} (43)

With n such equations, the entire linear orthomorphism can be constructed by taking linear combinations of all n equations. The question is, what values for x_{n+1} will serve to generate a valid set of equations to generate the entire orthomorphism.

The n−1 numbers {x_2, x_3, …, x_n} generate a maximal subgroup M_0 of Z_2^n. Correspondingly, the numbers {z_2, z_3, …, z_n} generate another such maximal subgroup, R_0. It can be shown that if x_{n+1} ∉ M_0 and x_{n+1} ∈ R_0, it is a valid choice in the sense that an orthomorphism will be generated. This means that x_{n+1} must not be in the subgroup M_0 but it must be in the subgroup R_0. There are 2^{n−2} possibilities, i.e., 64 choices if n = 8. Of these 16 will produce maximal linear orthomorphisms and 48 will yield cycles. If a value for x_{n+1} is chosen differently, no orthomorphism will be generated.

Alternatively, the x_{n+1} number can be used to find recursive functions as described above. The choice of x_{n+1} is restricted as follows. The numbers selected so far are the complete linearly independent set {x_1, x_2, …, x_n}. Omitting x_1, the remaining n−1 numbers {x_2, …, x_n} generate a maximal subgroup. x_{n+1} must be in the complement of that subgroup. There are n−1 equations initially generated:

x_1 + x_2 = z_2
…
x_{n−1} + x_n = z_n (44)

x_{n+1} must also be in the subgroup generated by {z_2, …, z_n}.

At step 125 in FIG. 4B, it is determined whether the cycles are all self-contained. If the cycles are not self-contained, the flow proceeds to step 127 of FIG. 4D, where pairs of cycles are selected from the first and second orthomorphisms, respectively, so that N(x,y), defined below, takes on all possible values except zero.

When the cycles are not self-contained, the sums of consecutive pairs of numbers in one cycle will be in another cycle. Because the starting point of a cycle in a permutation is arbitrary, it is not possible to derive a shift distance, e.g., (1234) is the same as (2341). However, it is still possible to identify complementary orthomorphisms because the complementary generating functions can be identified.

A common example can be illustrated for the case when n = 8 and there are 2^8 − 1 = 255 such nonzero binary numbers. On occasion, linear orthomorphisms will occur in three non-self-contained cycles of 85 numbers each. The cycles can be represented as: (θ)(x_1 x_2 … x_85)(y_1 y_2 … y_85)(z_1 z_2 … z_85). Representing these orthomorphic permutations as arrays of equations, one has:

cycle 1:
x_85 ⊕ x_1 = y_1
x_1 ⊕ x_2 = y_2
…
x_84 ⊕ x_85 = y_85 (45)

cycle 2:
y_85 ⊕ y_1 = z_1
y_1 ⊕ y_2 = z_2
…
y_84 ⊕ y_85 = z_85 (46)

cycle 3:
z_85 ⊕ z_1 = x_p
z_1 ⊕ z_2 = x_{p+1}
…
z_84 ⊕ z_85 = x_{p+84} (47)

Because the order of the x's was set in cycle 1, it cannot be arbitrarily reassigned in cycle 3. This integer p is analogous to the shift in orthomorphisms with only self-contained cycles. Designating this as orthomorphism 1, note that for x_i and x_{i+1} in cycle 1, the sums y_{i+1} are in cycle 2. Similarly, the sums of consecutive numbers in cycles 2 and 3 are respectively in cycles 3 and 1.

A second linear orthomorphism of the same form can be represented as follows:
cycle 1:
u_85 ⊕ u_1 = v_1
u_1 ⊕ u_2 = v_2
…
u_84 ⊕ u_85 = v_85 (48)

cycle 2:
v_85 ⊕ v_1 = w_1
v_1 ⊕ v_2 = w_2
…
v_84 ⊕ v_85 = w_85 (49)

cycle 3:
w_85 ⊕ w_1 = u_p
w_1 ⊕ w_2 = u_{p+1}
…
w_84 ⊕ w_85 = u_{p+84} (50)

The nonlinearization can be accomplished by using orthomorphism 1 as the clear text numbers and orthomorphism 2 as the cipher text numbers, as usual. However, instead of having a single method x_i → f(x_i) = y_i, with possible rotation of one orthomorphic permutation with respect to the other, there are now multiple possibilities.

When the value f(x_i) is assigned as the encrypted value of x_i, the numbers are assigned to encrypt the middle column of numbers x_i in the array of equations. The numbers in the left column are encrypted by the assignments made in the middle column or position of the previous equation. The numbers in the right column are encrypted by subsequent assignments in the middle column further down for self-contained cycles, and in the middle column of another cycle in the non-self-contained case.

The essential requirement is that N(x,y) = f(x_{i−1}) ⊕ f(x_i) ⊕ f(x_{i−1} ⊕ x_i) ≠ θ most of the time and that N(x,y) takes on all nonzero values. In the present case, there are more choices to make than simply a rotation of cycles.

The following procedure is an example of handling cycles which are not self-contained. This example is for the common case of n = 8 with three equal length cycles.
Encrypt cycle 1 of orthomorphism 1 with cycle 3 of orthomorphism 2:
f(x_i) = w_k for some k (51)

Encrypt cycle 2 of orthomorphism 1 with cycle 2 of orthomorphism 2:
f(y_i) = v_k for some k (52)

Encrypt cycle 3 of orthomorphism 1 with cycle 1 of orthomorphism 2:
f(z_i) = u_k for some k (53)

Consider the encryption of cycle 1:
N(x_{i−1}, x_i) = f(x_{i−1}) ⊕ f(x_i) ⊕ f(x_{i−1} ⊕ x_i)
= w_{k−1} ⊕ w_k ⊕ f(y_i)
= u_{p+k−1} ⊕ v_j ≠ θ (54)

Because u is in cycle 1 and v is in cycle 2 of orthomorphism 2, they must be different, but u ⊕ v = θ implies that u = v.

For the encryption of cycle 2:
N(y_{i−1}, y_i) = f(y_{i−1}) ⊕ f(y_i) ⊕ f(y_{i−1} ⊕ y_i)
= v_{k−1} ⊕ v_k ⊕ f(z_i)
= w_k ⊕ u_j ≠ θ (55)

for the same reason.

For the encryption of cycle 3:
N(z_{i−1}, z_i) = f(z_{i−1}) ⊕ f(z_i) ⊕ f(z_{i−1} ⊕ z_i)
= u_{k−1} ⊕ u_k ⊕ f(x_{p+i−1})
= v_k ⊕ w_j ≠ θ (56)

for the same reason.

However, when matching pairs of cycles to define the encryption pattern, rotation may be necessary to eliminate fixed points, but the nonlinearity is independent of the rotation. Other methods of assigning the mapping x → f(x) require rotation of cycles to avoid N(x_{i−1}, x_i) = θ.
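The cycle pairing of equations (51) through (53), with the orthomorphisms built algebraically as discussed with FIG. 4B, as an added example that is not the patent's own code. The seed sets and the search over the 2^(n−2) generating functions for ones with three non-self-contained cycles of 85 numbers are this example's assumptions.

```python
"""Added example (not the patent's own code). Builds orthomorphisms with cycles
algebraically, as in the FIG. 4B discussion, and applies the cycle pairing of
(51)-(53) for n = 8 with three non-self-contained cycles of 85 numbers.
Assumptions, all constructed here: the seed sets CS1 and CS2, and a search over
the 2^(n-2) generating functions (tap n plus an odd number of smaller taps) for
ones with that cycle structure."""
N_BITS = 8
CS1 = [1, 2, 4, 8, 16, 32, 64, 128]            # complete linearly independent
CS2 = [1, 3, 7, 15, 31, 63, 127, 255]          # complete linearly independent

def build_theta(cs, taps, n=N_BITS):
    """Linear orthomorphism theta on all 2^n numbers: theta(x_j) = x_{j+1} on the
    seeds, with x_{n+1} from the generating function; every other number is a
    sum of seeds and maps to the same sum of the seeds' images (the 'add the
    equations as vectors' step of the text)."""
    nxt = cs[1:] + [0]
    for t in taps:
        nxt[-1] ^= cs[n - t]                    # x_{n+1} = XOR of x_{n+1-t}
    theta = [0] * (1 << n)
    for mask in range(1 << n):
        x = y = 0
        for j in range(n):
            if mask >> j & 1:
                x ^= cs[j]
                y ^= nxt[j]
        theta[x] = y
    return theta

def cycles(theta):
    """Cycles of the permutation theta, in theta order, excluding the point 0."""
    seen, out = {0}, []
    for start in range(1, len(theta)):
        if start in seen:
            continue
        c, x = [], start
        while x not in seen:
            seen.add(x)
            c.append(x)
            x = theta[x]
        out.append(c)
    return out

def sum_cycle(theta, cyc, i):
    """Index of the cycle holding the sums x ^ theta(x) of cycle i (a single
    cycle, since x -> x ^ theta(x) is linear and commutes with theta)."""
    s = cyc[i][0] ^ theta[cyc[i][0]]
    return next(j for j, c in enumerate(cyc) if s in c)

def ordered_cycles(theta):
    """Three cycles numbered as in (45)-(47): sums of cycle 1 lie in cycle 2,
    sums of cycle 2 in cycle 3, sums of cycle 3 in cycle 1. None otherwise."""
    cyc = cycles(theta)
    if len(cyc) != 3:
        return None
    order = [0]
    for _ in range(2):
        order.append(sum_cycle(theta, cyc, order[-1]))
    if len(set(order)) != 3 or sum_cycle(theta, cyc, order[-1]) != 0:
        return None                             # self-contained or no 3-cycle
    return [cyc[i] for i in order]

def three_cycle_functions(cs=CS1, n=N_BITS):
    """Taps of the generating functions whose orthomorphism splits into three
    non-self-contained cycles of (2^n - 1)/3 numbers."""
    found = []
    for bits in range(1 << (n - 1)):
        low = [t for t in range(1, n) if bits >> (t - 1) & 1]
        if len(low) % 2 == 0:                   # even count: x ^ theta(x) not 1-1
            continue
        taps = (n,) + tuple(low)
        oc = ordered_cycles(build_theta(cs, taps, n))
        if oc and all(len(c) == ((1 << n) - 1) // 3 for c in oc):
            found.append(taps)
    return found

def pair_cycles(cs1, taps1, cs2, taps2, n=N_BITS):
    """Equations (51)-(53): cycle 1 of orthomorphism 1 is encrypted with cycle 3
    of orthomorphism 2, cycle 2 with cycle 2 and cycle 3 with cycle 1, keeping
    the cyclic order inside each pair. Returns (S, cycles of orthomorphism 1)."""
    o1 = ordered_cycles(build_theta(cs1, taps1, n))
    o2 = ordered_cycles(build_theta(cs2, taps2, n))
    s = [0] * (1 << n)
    for clear, cipher in zip(o1, reversed(o2)):
        for x, y in zip(clear, cipher):
            s[x] = y
    return s, o1

def cycle_nonlinearity(s, cycle):
    """N(x_{i-1}, x_i) = f(x_{i-1}) ^ f(x_i) ^ f(x_{i-1} ^ x_i) around one cycle."""
    return [s[cycle[i - 1]] ^ s[cycle[i]] ^ s[cycle[i - 1] ^ cycle[i]]
            for i in range(len(cycle))]
```

Because each sum f(x_{i−1}) ⊕ f(x_i) and each f(x_{i−1} ⊕ x_i) land in two different cycles of orthomorphism 2, every N value is nonzero for all three cycles, independently of any rotation within a pair.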

The flow then proceeds to step 129, where it is determined if fixed point mappings are acceptable. The flow then proceeds to either step 132 or 128, which are described hereinbelow.

If the cycles are self-contained as determined at step 125, the flow proceeds to step 126 where it is determined whether fixed point mappings are acceptable and, if not, the flow proceeds to step 128 of FIG. 4C. At step 128, the corresponding cycles of the second orthomorphic permutation are rotated. Then, at step 130, the corresponding cycles of the orthomorphic permutations are paired and the mapping is defined as f(x_i) = y_{i+d}. If fixed point mappings are acceptable as determined at step 126, the flow moves to step 132, where the corresponding cycles of the orthomorphic permutations are paired and the mappings are defined as f(x_i) = y_i. This ensures that non-self-contained cycles are matched such that N(x,y) ≠ 0. This cannot be done arbitrarily.

FIG. 5 illustrates an automated implementation of another method for generating nonlinear substitution tables for the general case of n-bit substitution tables. At step 136, a complete set of n linearly independent n-bit numbers is generated from binary data 134 as described hereinabove in conjunction with FIG. 2. At step 138, a second complete set of n linearly independent n-bit numbers is generated. At step 140, the first n elements of A1 and A2 are set and at step 142 a generating function is applied recursively to generate a major cycle of the first orthomorphism. Alternatively, the major cycle can be generated algebraically, as described hereinabove. Steps 140 and 142 are performed as in FIG. 2.

At step 144, the remaining cycles of the first orthomorphism are generated algebraically as discussed hereinabove in conjunction with FIG. 4B. At step 146, the second generating function is recursively applied to generate a major cycle of the second orthomorphism. At step 148, the remaining cycles of the second orthomorphism are generated algebraically as discussed hereinabove in conjunction with FIG. 4B. At step 150, the substitution table is set by taking all the pairs of matching cycles and grouping them together, using one cycle as the input and the other as the output.

While the present invention has been described in conjunction with preferred embodiments thereof, many modifications and variations will be apparent to those of ordinary skill in the art. The foregoing description and the following claims are intended to cover all such modifications and variations.

CLAIMS

I claim:

1. A method of generating block substitution tables for a predetermined block size, comprising:

selecting a first generating function;

selecting a second generating function;

selecting first and second sets of complete linearly independent numbers;

calculating first and second linear orthomorphisms from the generating functions and the sets of linearly independent numbers; and

creating nonlinear block substitution tables by combining the linear orthomorphisms, the block substitution tables for use in encrypting clear text messages.

2. The method of claim 1, wherein selecting a first generating function includes selecting a first primitive generating function.

3. The method of claim 1, wherein selecting a first generating function includes selecting a first non-primitive generating function.

4. The method of claim 1, wherein selecting a second generating function includes selecting a second primitive generating function.

5. The method of claim 1, wherein selecting a second generating function includes selecting a second non-primitive generating function.

6. The method of claim 5, wherein selecting a second non-primitive generating function includes selecting a second non-primitive generating function having a cycle pattern that is identical to a cycle pattern of the first generating function.

7. The method of claim 1, wherein calculating first and second linear orthomorphisms includes calculating first and second maximal linear orthomorphisms from the generating functions and the sets of linearly independent numbers.

8. The method of claim 1, further comprising rotating the second linear orthomorphism.

9. The method of claim 8, wherein rotating the second linear orthomorphism includes rotating corresponding cycles of the second linear orthomorphism.

10. The method of claim 1, wherein selecting a second generating function includes selecting a second generating function which is a complement of the first generating function.



-30-

5/11/05, EAST Version: 2.0.1.4

WO 00/10285 PCT/US99/18538

11. The method of claim 1, wherein selecting a second generating function includes selecting a second generating function which is any generating function that is not identical to the first generating function and has a cycle structure which matches a cycle structure of the first generating function.

12. The method of claim 1, wherein selecting first and second sets of linearly independent numbers includes selecting a second set of linearly independent numbers that is identical to the first set of linearly independent numbers.

13. The method of claim 1, wherein selecting first and second sets of linearly independent numbers includes selecting a second set of linearly independent numbers that is not identical to the first set of linearly independent numbers.

14. The method of claim 1, further comprising determining whether all cycles of the first and second linear orthomorphisms are self-contained.

15. The method of claim 14, further comprising selecting pairs of cycles from the first and second linear orthomorphisms to produce a mapping for which N(x,y) ≠ 0 for all pairs of numbers from different cycles.

16. A computer-implemented method for generating nonlinear block substitution tables from binary data, comprising:

selecting a first set of a plurality of complete linearly independent numbers from the binary data;

selecting a second set of a plurality of complete linearly independent numbers from the binary data;

generating a plurality of linear orthomorphisms using first and second recursive generating functions and the first and second sets of linearly independent numbers; and

setting the substitution tables based on a combination of the linear orthomorphisms, the substitution tables for use in encrypting clear text messages which are in the form of a sequence of binary numbers.

17. The method of claim 16, wherein the second generating function is a complement of the first generating function.

18. A computer-implemented method for generating nonlinear block substitution tables from binary data, comprising:

selecting a first set of a plurality of complete linearly independent numbers from the binary data;


selecting a second set of a plurality of complete linearly independent numbers from the binary data;

recursively applying a first generating function to the first set of linearly independent numbers to create a major cycle of a first orthomorphism;

generating a plurality of cycles of the first orthomorphism;

recursively applying a second generating function to the second set of linearly independent numbers to create a major cycle of a second orthomorphism;

generating a plurality of cycles of the second orthomorphism; and

setting the substitution tables by combining the linear orthomorphisms, the substitution tables for use in encrypting clear text messages which are in the form of an ordering of binary numbers.

19. The method of claim 18, wherein the second generating function is a complement of the first generating function.

20. A system, comprising:

a communications link;

a first computer in communication with the communications link; and

a second computer in communication with the communications link, the second computer having an ordered set of data and instructions stored thereon which, when executed by the second computer, cause the second computer to perform the steps of:

selecting a first generating function;

selecting a second generating function;

selecting first and second sets of complete linearly independent numbers;

calculating first and second linear orthomorphisms from the generating functions and the sets of linearly independent numbers; and

creating nonlinear block substitution tables by combining the linear orthomorphisms, the block substitution tables for use in encrypting clear text messages.

21. A computer-readable medium having stored thereon instructions which, when executed by a processor, cause the processor to perform the steps of:

selecting a first generating function;

selecting a second generating function;

selecting first and second sets of complete linearly independent numbers;

calculating first and second linear orthomorphisms from the generating functions and the sets of linearly independent numbers; and

creating nonlinear block substitution tables by combining the linear orthomorphisms, the block substitution tables for use in encrypting clear text messages.

22. An apparatus, comprising:

means for selecting a first generating function;

means for selecting a second generating function;

means for selecting first and second sets of complete linearly independent numbers;

means for calculating first and second linear orthomorphisms from the generating functions and the sets of linearly independent numbers; and

means for creating nonlinear block substitution tables by combining the linear orthomorphisms, the block substitution tables for use in encrypting clear text messages.